Kluctl Controller API reference

Provider is the name of the decryption engine.

The secret name containing the private OpenPGP keys used for decryption.

ServiceAccount specifies the service account used to authenticate against cloud providers. This is currently only usable for AWS KMS keys. The specified service account will be used to authenticate to AWS by signing a token in an IRSA compliant way.

Branch to filter for. Can also be a regex.

Branch to filter for. Can also be a regex.

SecretRef holds the name of a secret that contains the Helm credentials. The secret must either contain the fields credentialsId which refers to the credentialsId found in https://kluctl.io/docs/kluctl/reference/deployments/helm/#private-chart-repositories or an url used to match the credentials found in Kluctl projects helm-chart.yaml files. The secret can either container basic authentication credentials via username and password or TLS authentication via certFile and keyFile. caFile can be specified to override the CA to use while contacting the repository. The secret can also contain insecureSkipTlsVerify: "true", which will disable TLS verification. passCredentialsAll: "true" can be specified to make the controller pass credentials to all requests, even if the hostname changes in-between.

Path to the directory containing the .kluctl.yaml file, or the Defaults to ‘None’, which translates to the root path of the SourceRef. Deprecated: Use source.path instead

Reference of the source where the kluctl project is. The authentication secrets from the source are also used to authenticate dependent git repositories which are cloned while deploying the kluctl project. Deprecated: Use source instead

Specifies the project source location

Decrypt Kubernetes secrets before applying them on the cluster.

The interval at which to reconcile the KluctlDeployment. By default, the controller will re-deploy and validate the deployment on each reconciliation. To override this behavior, change the DeployInterval and/or ValidateInterval values.

The interval at which to retry a previously failed reconciliation. When not specified, the controller uses the Interval value to retry failures.

DeployInterval specifies the interval at which to deploy the KluctlDeployment. It defaults to the Interval value, meaning that it will re-deploy on every reconciliation. If you set DeployInterval to a different value,

DeployOnChanges will cause a re-deployment whenever the rendered resources change in the deployment. This check is performed on every reconciliation. This means that a deployment will be triggered even before the DeployInterval has passed in case something has changed in the rendered resources.

ValidateInterval specifies the interval at which to validate the KluctlDeployment. Validation is performed the same way as with ‘kluctl validate -t ’. Defaults to the same value as specified in Interval. Validate is also performed whenever a deployment is performed, independent of the value of ValidateInterval

Timeout for all operations. Defaults to ‘Interval’ duration.

This flag tells the controller to suspend subsequent kluctl executions, it does not apply to already started executions. Defaults to false.

DEPRECATED RegistrySecrets is a list of secret references to be used for image registry authentication. The secrets must either have “.dockerconfigjson” included or “registry”, “username” and “password”. Additionally, “caFile” and “insecure” can be specified. Kluctl has deprecated querying the registry at deploy time and thus this field is also deprecated.

HelmCredentials is a list of Helm credentials used when non pre-pulled Helm Charts are used inside a Kluctl deployment.

The name of the Kubernetes service account to use while deploying. If not specified, the default service account is used.

The KubeConfig for deploying to the target cluster. Specifies the kubeconfig to be used when invoking kluctl. Contexts in this kubeconfig must match the context found in the kluctl target. As an alternative, specify the context to be used via ‘context’

RenameContexts specifies a list of context rename operations. This is useful when the kluctl target’s context does not match with the contexts found in the kubeconfig while deploying. This is the case when using kubeconfigs generated from service accounts, in which case the context name is always “default”.

Target specifies the kluctl target to deploy. If not specified, an empty target is used that has no name and no context. Use ‘TargetName’ and ‘Context’ to specify the name and context in that case.

TargetNameOverride sets or overrides the target name. This is especially useful when deployment without a target.

If specified, overrides the context to be used. This will effectively make kluctl ignore the context specified in the target.

Args specifies dynamic target args.

DEPRECATED UpdateImages instructs kluctl to update dynamic images. Equivalent to using ‘-u’ when calling kluctl. Setting this field to true is deprecated.

Images contains a list of fixed image overrides. Equivalent to using ‘–fixed-images-file’ when calling kluctl.

DryRun instructs kluctl to run everything in dry-run mode. Equivalent to using ‘–dry-run’ when calling kluctl.

NoWait instructs kluctl to not wait for any resources to become ready, including hooks. Equivalent to using ‘–no-wait’ when calling kluctl.

ForceApply instructs kluctl to force-apply in case of SSA conflicts. Equivalent to using ‘–force-apply’ when calling kluctl.

ReplaceOnError instructs kluctl to replace resources on error. Equivalent to using ‘–replace-on-error’ when calling kluctl.

ForceReplaceOnError instructs kluctl to force-replace resources in case a normal replace fails. Equivalent to using ‘–force-replace-on-error’ when calling kluctl.

ForceReplaceOnError instructs kluctl to abort deployments immediately when something fails. Equivalent to using ‘–abort-on-error’ when calling kluctl.

IncludeTags instructs kluctl to only include deployments with given tags. Equivalent to using ‘–include-tag’ when calling kluctl.

ExcludeTags instructs kluctl to exclude deployments with given tags. Equivalent to using ‘–exclude-tag’ when calling kluctl.

IncludeDeploymentDirs instructs kluctl to only include deployments with the given dir. Equivalent to using ‘–include-deployment-dir’ when calling kluctl.

ExcludeDeploymentDirs instructs kluctl to exclude deployments with the given dir. Equivalent to using ‘–exclude-deployment-dir’ when calling kluctl.

DeployMode specifies what deploy mode should be used. The options ‘full-deploy’ and ‘poke-images’ are supported. With ‘poke images’ option, only the images from the fixed images are exchanged and no complete deployment is triggered.

Validate enables validation after deploying

Prune enables pruning after deploying.

Delete enables deletion of the specified target when the KluctlDeployment object gets deleted.

(Members of ReconcileRequestStatus are embedded into this type.)

ObservedGeneration is the last reconciled generation.

LastAttemptedRevision is the revision of the last reconciliation attempt.

LastDeployResult is the result of the last deploy command

LastDeployResult is the result of the last prune command

LastValidateResult is the result of the last validate command

Discriminator is the discriminator found in the target when the last deployment was done. This is used to perform cleanup/deletion in case the KluctlDeployment project is deleted

ReadyForMigration is used to signal the new controller that this object is handled by a legacy controller version that will honor the existence of KluctlDeployment objects from the gitops.kluctl.io group.

SecretRef holds the name of a secret that contains a key with the kubeconfig file as the value. If no key is set, the key will default to ‘value’. The secret must be in the same namespace as the Kustomization. It is recommended that the kubeconfig is self-contained, and the secret is regularly updated if credentials such as a cloud-access-token expire. Cloud specific cmd-path auth helpers will not function without adding binaries and credentials to the Pod that is responsible for reconciling the KluctlDeployment.

(Members of ReconcileResultBase are embedded into this type.)

(Members of ReconcileResultBase are embedded into this type.)

Url specifies the Git url where the project source is located

Ref specifies the branch, tag or commit that should be used. If omitted, the default branch of the repo is used.

Path specifies the sub-directory to be used as project directory

SecretRef specifies the Secret containing authentication credentials for the git repository. For HTTPS repositories the Secret must contain ‘username’ and ‘password’ fields. For SSH repositories the Secret must contain ‘identity’ and ‘known_hosts’ fields.

AttemptedAt is the time when the attempt was performed

Revision is the source revision. Please note that kluctl projects have dependent git repositories which are not considered in the source revision

ObjectsHash is the hash of all rendered objects

OldContext is the name of the context to be renamed

NewContext is the new name of the context